Retain multiple SrcFile and identity evidences
Signed-off-by: Prabhu Subramanian <[email protected]>
prabhu committed Dec 9, 2024
1 parent 8a40695 commit fca5144
Showing 2 changed files with 53 additions and 1 deletion.
52 changes: 52 additions & 0 deletions lib/cli/index.js
Expand Up @@ -918,8 +918,22 @@ function addComponent(
pkg.evidence.identity &&
!Array.isArray(pkg.evidence.identity)
) {
// Automatically add concludedValue
if (pkg.evidence.identity?.methods?.length === 1) {
pkg.evidence.identity.concludedValue =
pkg.evidence.identity.methods[0].value;
}
component.evidence.identity = [pkg.evidence.identity];
}
// Convert evidence.identity section to an object for 1.5
if (
options.specVersion === 1.5 &&
pkg.evidence &&
pkg.evidence.identity &&
Array.isArray(pkg.evidence.identity)
) {
component.evidence.identity = pkg.evidence.identity[0];
}
}
// Upgrade authors section
if (options.specVersion >= 1.6 && component.author) {
Expand Down Expand Up @@ -4947,6 +4961,7 @@ export function createPHPBom(path, options) {
const retMap = parseComposerLock(f, rootRequires);
if (retMap.pkgList?.length) {
pkgList = pkgList.concat(retMap.pkgList);
pkgList = trimComponents(pkgList);
}
if (retMap.dependenciesList) {
if (moduleParent?.["bom-ref"]) {
Expand Down Expand Up @@ -5598,6 +5613,43 @@ export function trimComponents(components) {
existingComponent.properties = comp.properties;
}
}
// Retain all component.evidence.identity
if (comp?.evidence?.identity) {
if (!existingComponent.evidence) {
existingComponent.evidence = { identity: [] };

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from user-controlled input.
} else if (
existingComponent?.evidence?.identity &&
!Array.isArray(existingComponent.evidence.identity)
) {
existingComponent.evidence.identity = [
existingComponent.evidence.identity,
];
}
// comp.evidence.identity can be an array or object
// Merge the evidence.identity based on methods or objects
const identities = Array.isArray(comp.evidence.identity)
? comp.evidence.identity
: [comp.evidence.identity];
for (const aident of identities) {
let methodBasedMerge = false;
if (aident?.methods?.length) {
for (const amethod of aident.methods) {
for (const existIdent of existingComponent.evidence.identity) {
if (existIdent.field === aident.field) {
if (!existIdent.methods) {
existIdent.methods = [];
}
existIdent.methods.push(amethod);
methodBasedMerge = true;
}
}
}
}
if (!methodBasedMerge && aident.field && aident.confidence) {
existingComponent.evidence.identity.push(aident);
}
}
}
// If the component is required in any of the child projects, then make it required
if (
existingComponent?.scope !== "required" &&
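Review bot: In the trimComponents hunk, `for (const existIdent of existingComponent.evidence.identity)` and the later `existingComponent.evidence.identity.push(aident)` throw a TypeError when the existing component already has an `evidence` object but no `identity` key, because the `if (!existingComponent.evidence)` branch only creates the array when the whole evidence object is absent and the `else if` only wraps an identity that is present; the initialization should handle the missing-identity case separately, as below. The inner loop also pushes every `amethod` unconditionally, so an identical method seen again for the same field ends up duplicated in `existIdent.methods`; a check against the existing entries before the push is presumably intended (confirm against how trimComponents is called). The CodeQL prototype-pollution annotation on `existingComponent.evidence = { identity: [] }` depends on how `existingComponent` is looked up, which is outside this hunk; if that lookup is a plain object keyed by a string taken from the scanned manifests, guard it with `Object.hasOwn` or use a `Map` so a `__proto__` key cannot resolve to `Object.prototype`. trimComponents begins and ends outside the hunk.
```javascript
      // Retain all component.evidence.identity
      if (comp?.evidence?.identity) {
        if (!existingComponent.evidence) {
          existingComponent.evidence = {};
        }
        if (!existingComponent.evidence.identity) {
          existingComponent.evidence.identity = [];
        } else if (!Array.isArray(existingComponent.evidence.identity)) {
          existingComponent.evidence.identity = [
            existingComponent.evidence.identity,
          ];
        }
        // … unchanged: build `identities`, merge methods by field, push new identities …
```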
2 changes: 1 addition & 1 deletion types/lib/cli/index.d.ts.map

